コード例 #1
def create_service_account(session, actor, name, description, machine_set, owner):
    # type: (Session, User, str, str, str, Group) -> ServiceAccount
    """Create a service account together with the user that backs it.

    The new account is registered with its owning group, and the creation is recorded
    in the audit log against ``actor`` and ``owner``.

    Args:
        session: database session the new rows are added to.
        actor: user performing the creation; its id goes into the audit log entry.
        name: username of the service account to create.
        description: free-form description stored on the service account.
        machine_set: machine set for the account; None skips the plugin check.
        owner: group that will own the new account.

    Returns:
        The newly created ServiceAccount.

    Throws:
        BadMachineSet: if some plugin rejected the machine set
        DuplicateServiceAccount: if a user with the given name already exists
    """
    backing_user = User(username=name, is_service_account=True)
    account = ServiceAccount(
        user=backing_user, description=description, machine_set=machine_set
    )

    # Only a machine set that was actually supplied is offered to the plugins for vetting.
    if machine_set is not None:
        _check_machine_set(account, machine_set)

    try:
        backing_user.add(session)
        account.add(session)
        session.flush()
    except IntegrityError:
        # Treated as a clash on the username: undo the partial insert before surfacing
        # it as a domain error.
        session.rollback()
        raise DuplicateServiceAccount("User {} already exists".format(name))

    # add_service_account updates the owner's counter and commits the session, so the
    # creation itself needs no further update or commit.
    add_service_account(session, owner, account)

    AuditLog.log(
        session,
        actor.id,
        "create_service_account",
        "Created new service account.",
        on_group_id=owner.id,
        on_user_id=account.user_id,
    )

    return account
コード例 #2
ファイル: service_account.py プロジェクト: yasaswyk/merou
    def create_service_account(self,
                               name,
                               owner,
                               machine_set,
                               description,
                               initial_metadata=None):
        # type: (str, str, str, str, Optional[Dict[str,str]]) -> None
        """Create a service account and link it to the group named ``owner``.

        Args:
            name: username for the new service account.
            owner: name of the group that will own the account.
            machine_set: machine set recorded on the account.
            description: description recorded on the account.
            initial_metadata: optional user-metadata key/value pairs set on the new user.

        Raises:
            GroupNotFoundException: if no group named ``owner`` exists.
        """
        session = self.session
        owning_group = Group.get(session, name=owner)
        if not owning_group:
            raise GroupNotFoundException(owner)

        # Persist the backing user and the service account row.
        backing_user = SQLUser(username=name, is_service_account=True)
        account = SQLServiceAccount(
            user=backing_user, machine_set=machine_set, description=description
        )
        backing_user.add(session)
        account.add(session)

        # Flush so the new rows receive their IDs before they are referenced below.
        session.flush()

        # Apply any initial user metadata.
        # TODO: move this to use the hexagonal architecture model.
        for key, value in (initial_metadata or {}).items():
            set_user_metadata(session, backing_user.id, key, value)

        # Record the ownership linkage.
        GroupServiceAccount(group_id=owning_group.id, service_account=account).add(session)
コード例 #3
ファイル: fixtures.py プロジェクト: yasaswyk/merou
def service_accounts(session, users, groups):
    """Fixture: a single service account owned by the ``team-sre`` group.

    ``users`` is not read here; presumably it is listed so this fixture is built after
    the users fixture — confirm against the fixture graph.

    Returns:
        dict mapping the account's username to its ServiceAccount.
    """
    # The username and the returned key appear masked in this listing; reproduced as-is.
    backing_user = User(username="******", is_service_account=True)
    account = ServiceAccount(
        user=backing_user,
        description="some service account",
        machine_set="some machines",
    )
    backing_user.add(session)
    account.add(session)
    # Flush before handing the account to add_service_account.
    session.flush()
    add_service_account(session, groups["team-sre"], account)

    return {"*****@*****.**": account}
コード例 #4
ファイル: service_account.py プロジェクト: bsittler/merou
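    def create_service_account(self, name, owner, machine_set, description):
        # type: (str, str, str, str) -> None
        """Create a service account and link it to the group named ``owner``.

        Args:
            name: username for the new service account.
            owner: name of the group that will own the account.
            machine_set: machine set recorded on the account.
            description: description recorded on the account.

        Raises:
            GroupNotFoundException: if no group named ``owner`` exists.
        """
        group = Group.get(self.session, name=owner)
        if not group:
            # Report the requested group name: at this point ``group`` is the failed
            # lookup result, so passing it would raise an error that names nothing.
            raise GroupNotFoundException(owner)

        # Create the service account in the database.
        user = SQLUser(username=name, is_service_account=True)
        service = SQLServiceAccount(user=user,
                                    machine_set=machine_set,
                                    description=description)
        user.add(self.session)
        service.add(self.session)

        # Flush the account to allocate an ID, and then create the linkage to the owner.
        self.session.flush()
        GroupServiceAccount(group_id=group.id,
                            service_account=service).add(self.session)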
コード例 #5
ファイル: service_account.py プロジェクト: dropbox/grouper
    def mark_disabled_user_as_service_account(self, name, description="", mdbset=""):
        # type: (str, str, str) -> None
        """Transform a disabled user into a disabled, ownerless service account.

        A service-account row is attached to the existing user and the user is flagged
        as a service account; no owner linkage is created. The "disabled" precondition
        is not checked here — the caller is responsible for it.

        Args:
            name: username of the existing (disabled) user.
            description: description stored on the new service-account row.
            mdbset: machine set stored on the new service-account row.

        Raises:
            UserNotFoundException: if no user named ``name`` exists.

        WARNING: This function encodes the fact that the user and service account repos
        are in fact the same thing, as it assumes that a service account is just a user
        that is marked in a special way. This is a temporary breaking of the abstractions
        and will have to be cleaned up once the repositories are properly separate.
        """
        session = self.session
        existing = SQLUser.get(session, name=name)
        if not existing:
            raise UserNotFoundException(name)

        SQLServiceAccount(
            user_id=existing.id, description=description, machine_set=mdbset
        ).add(session)

        # Flip the flag last; per the WARNING above, the user row is what marks this
        # as a service account.
        existing.is_service_account = True
コード例 #6
ファイル: setup.py プロジェクト: dropbox/grouper
    def create_service_account(self, service_account, owner, description="", machine_set=""):
        # type: (str, str, str, str) -> None
        """Test setup: ensure a service account named ``service_account`` owned by ``owner``.

        The owning group is created first via ``create_group``. If a user with the given
        name already exists nothing is changed (fields and ownership are not reconciled),
        so repeated calls are harmless.

        Args:
            service_account: username of the service account.
            owner: name of the owning group.
            description: description stored on the service-account row.
            machine_set: machine set stored on the service-account row.
        """
        session = self.session
        self.create_group(owner)
        group_obj = Group.get(session, name=owner)
        # Presumably create_group guarantees the group exists; a miss is a setup bug.
        assert group_obj

        # Already present: leave it untouched.
        if User.get(session, name=service_account):
            return

        user = User(username=service_account)
        user.add(session)
        # NOTE(review): user.id is read before the flush below; this relies on add()
        # having assigned the id — confirm.
        account = ServiceAccount(
            user_id=user.id, description=description, machine_set=machine_set
        )
        account.add(session)
        user.is_service_account = True

        session.flush()
        GroupServiceAccount(group_id=group_obj.id, service_account_id=account.id).add(session)
コード例 #7
ファイル: service_account.py プロジェクト: bsittler/merou
    def mark_disabled_user_as_service_account(self,
                                              name,
                                              description="",
                                              mdbset=""):
        # type: (str, str, str) -> None
        """Transform a disabled user into a disabled, ownerless service account.

        A service-account row is attached to the existing user and the user is flagged
        as a service account; no owner linkage is created. The "disabled" precondition
        is not checked here — the caller is responsible for it.

        Args:
            name: username of the existing (disabled) user.
            description: description stored on the new service-account row.
            mdbset: machine set stored on the new service-account row.

        Raises:
            UserNotFoundException: if no user named ``name`` exists.

        WARNING: This function encodes the fact that the user and service account repos
        are in fact the same thing, as it assumes that a service account is just a user
        that is marked in a special way. This is a temporary breaking of the abstractions
        and will have to be cleaned up once the repositories are properly separate.
        """
        session = self.session
        existing = SQLUser.get(session, name=name)
        if not existing:
            raise UserNotFoundException(name)

        SQLServiceAccount(
            user_id=existing.id, description=description, machine_set=mdbset
        ).add(session)

        # Flip the flag last; per the WARNING above, the user row is what marks this
        # as a service account.
        existing.is_service_account = True
コード例 #8
    def create_service_account(self,
                               service_account,
                               owner,
                               description="",
                               machine_set=""):
        # type: (str, str, str, str) -> None
        """Test setup: ensure a service account named ``service_account`` owned by ``owner``.

        The owning group is created first via ``create_group``. If a user with the given
        name already exists nothing is changed (fields and ownership are not reconciled),
        so repeated calls are harmless.

        Args:
            service_account: username of the service account.
            owner: name of the owning group.
            description: description stored on the service-account row.
            machine_set: machine set stored on the service-account row.
        """
        session = self.session
        self.create_group(owner)
        group_obj = Group.get(session, name=owner)
        # Presumably create_group guarantees the group exists; a miss is a setup bug.
        assert group_obj

        # Already present: leave it untouched.
        if User.get(session, name=service_account):
            return

        user = User(username=service_account)
        user.add(session)
        # NOTE(review): user.id is read before the flush below; this relies on add()
        # having assigned the id — confirm.
        account = ServiceAccount(
            user_id=user.id, description=description, machine_set=machine_set
        )
        account.add(session)
        user.is_service_account = True

        session.flush()
        GroupServiceAccount(group_id=group_obj.id, service_account_id=account.id).add(session)